NIST Is Updating Its Cybersecurity Framework

NIST is planning a significant update of its Cybersecurity Framework. At this point, it’s asking for feedback and comments to its concept paper.

  1. Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?
  2. Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?
  3. Do the proposed changes support different use cases in various sectors, types, and sizes of organizations (and with varied capabilities, resources, and technologies)?
  4. Are there additional changes not covered here that should be considered?
  5. For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?
  6. For those not using the Framework, would the proposed changes affect the potential use of the Framework?

The NIST Cybersecurity Framework has turned out to be an excellent resource. If you use it at all, please help with version 2.0.

EDITED TO ADD (2/14): Details on progress and how to engage.

Posted on January 30, 2023 at 7:13 AM6 Comments


Ted January 30, 2023 1:32 PM

The concept paper outlines six potentially significant changes in CSF 2.0.

The one that initially captured my interest was change #4, adding a “Govern” Function.

Elevating governance activities to a Function would also promote alignment of cybersecurity activities with enterprise risks and legal requirements.

What activities would fail under this function? And who would assume these responsibilities?

Clive Robinson January 31, 2023 4:11 AM

@ SpaceLifeForm,

Re : Who’s watching and why?

“Maybe NIST is wanting to learn what tech folk are paying attention to?”

NIST or “NIST’s little helpers”?

We know that cryptographers in Europe have been targeted by the Five-Eyes SigInt agencies in the past. For reasons that are not altogether clear, thus concerning, as at the very least your corespondence etc gets searched.

Then there have been “watering hole” attacks of security personnel in general. Originally such attacks were just “passive attacks” with “unknown persons” gathering information on people and organisations, in some cases to make “social engineering” attacks more believable. Later these attacks switched to being “active attacks” whereby the sites have been attacked with the intent not against the site, but against those who visit, to try and infect them. Which is why many now lump “Watering hole” attacks in with “supply chain” attacks. Which is not a good idea as still many watering hole attacks are APT “against the individual” not the organisations they work for.

I guess the question that arises for some is,

“Who’s watch list have you got on today?”

Thus more and more security researchers and the like are becoming more circumspect in behaviours becoming less overt and more covert. Which is not healthy for either the individuals or knowledge domain.

Clive Robinson January 31, 2023 5:13 AM

@ SpaceLifeForm, JonKnowsNothing, Winter

Re : UK 77th Brigade, DCMS, Cabinate Office, surveillance and counter-message activities.

I was not sure I should mention this, or not, but as others are starting to talk about it…

Although the UK Government has tried to keep a lid on it the activities of a number of UK Government agencies and UK Military units were tasked with what can only be described as surveillance, propaganda and truth-suppression behaviours under the direct authority of Ex P.M. Borris Johnson, in a way that would probably have shocked George Orwell.

It’s almost certain that the UK Government were not doing this alone or without the knowledge of US Goverment Agencies if not the Executive.

You can look up their behaviours and what they were upto and see in that how, some we thought were Trolls from the East may have been a lot closer to home.

Anyway if you want a quick overview by someone who was effected in a number of ways,

So much for “Modern Democracy” I did not realise just how much negative implications could be hidden behind a single word much as with “Representational Democracy” the preceading words totally flip the meaning of “Democracy”.

Jurgen van der Vlugt January 31, 2023 5:31 AM

Hm, I see mention of ISO 31000 as related standard for risk management to align with. Please don’t — the risk mgt community has a lot of trouble getting people off it; it’s a flawed approach.
[Since you ask: any ‘cyber’ risk is just another part of operational risk management, which takes an organisational view of risks not some bottom-up one — ‘Risk’ isn’t anything until you know the (ultimately: financial!) impact on all of the business, quantify that (likelihood and ‘all’ impacts of events (gross and net including the quality of BCM et al.), using e.g., scenario modelling, multiplication of lognormal distributions and Monte Carlo to calc risk) — all of that is over the head of 31k and ‘cyber sec’-compliance eager beavers. And I love long sentences yes.]

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.